
Security Guide for SAP BW

PDF download from SAP Help Portal:


http://help.sap.com/saphelp_nw74/helpdata/en/4f/0b56878a585f86e10000000a42189b/frameset.htm

Created on July 02, 2015

The documentation may have changed since you downloaded the PDF. You can always find the latest information on SAP Help Portal.

Note

This PDF document contains the selected topic and its subtopics (max. 150) in the selected structure. Subtopics from other structures are not included.

© 2015 SAP SE or an SAP affiliate company. All rights reserved. No part of this publication may be reproduced or transmitted in any form or for any purpose
without the express permission of SAP SE. The information contained herein may be changed without prior notice. Some software products marketed by SAP SE
and its distributors contain proprietary software components of other software vendors. National product specifications may vary. These materials are provided by
SAP SE and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be
liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express
warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty. SAP and other
SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP SE in Germany and other
countries. Please see www.sap.com/corporate-en/legal/copyright/index.epx#trademark for additional trademark information and notices.

Table of content

PUBLIC Page 1 of 13
© 2014 SAP SE or an SAP affiliate company. All rights reserved.
1 Security Guide for SAP BW
2 User Management and Authentication
2.1 User Management
2.2 Authentication and Single Sign-On
3 Authorizations
3.1 Authorization Log for Analysis Authorizations
3.2 Checking Analysis Authorizations as Another User
3.3 Using ABAP Routines in the Analysis Process Designer
4 Network and Communication Security
4.1 Communication Channel Security
4.2 Communication Destinations
4.3 Network Security
4.4 Web Services and ICF Services in BW
5 Security for Data Storage
6 Security-Related Logging and Tracing
7 Further Security-Relevant Information
8 Security-Related Information for BI Java
8.1 User Management and Authentication
8.1.1 User Management
8.1.2 Authentication and Single Sign-On
8.1.2.1 Calling BEx Web Applications from the Portal
8.1.2.2 Information Broadcasting as Background Processing
8.1.2.3 Information Broadcasting in the Web
8.1.2.4 Publishing to the Portal
8.2 Network and Communication Channel Security
8.2.1 Communication Channel Security
8.2.2 Communication Destinations
8.3 Security with Data Storage
8.4 Other Security-Relevant Information

Security Guide for SAP BW

Use

Caution
This guide does not replace the administration or operation guides provided for productive operations.

Target Group
Technology consultants
Security consultants
System administrators
This document is not included as part of the Installation Guides, Configuration Guides, Technical Operation Manuals, or Upgrade Guides. These guides are only
relevant for a certain phase of the software life cycle, whereas the Security Guides provide information that is relevant for all life cycle phases.
Why is Security Necessary?
With the increasing use of distributed systems and the Internet for managing business data, security requirements are also becoming more prominent. When
using a distributed system, you need to be sure that your data and processes support your business needs without allowing unauthorized access to critical
information. User errors, negligence, or attempted manipulation of your system cannot be allowed to result in loss of information or processing time. These security
requirements also apply to SAP BW (BW). We have provided this security guide to help you to make BW more secure.
SAP Business Warehouse integrates, transforms, and consolidates data from all areas of an enterprise so that it can provide this information for analysis,
interpretation and distribution. This includes confidential corporate data, such as personal data from personnel administration. This data forms the basis of
decisions and target-oriented actions in all enterprise areas. Secure data access and data integrity are therefore of paramount importance.
The following examples illustrate some of the risks that the BW system can be exposed to:
Attacks from the Internet or intranet when using SAP BEx Web functionality and Web services
Infringement of data protection guidelines as a result of unauthorized access to personal data
About This Document
The Security Guide provides an overview of the security-relevant information that applies to SAP BW and SAP Business Explorer (SAP BEx).
Important Security Information
SAP BW and SAP BEx build on Application Server ABAP, on Application Server Java where usage type BI Java is used, and on the portal. This Security
Guide for SAP BW describes security information that supplements, or deviates from, the information that applies to usage types AS ABAP and AS Java.
The table below provides an overview of other relevant security guides:

Application: Security Guide

Application Server for ABAP: SAP NetWeaver Application Server ABAP Security Guide

Application Server for Java: SAP NetWeaver Application Server for Java Security Guide

Enterprise Portal: Portal Security Guide

Knowledge Management: Knowledge Management Security Guide

Process Integration: SAP Process Integration Security Guide

You can find a complete list of all available SAP Security Guides in the SAP Service Marketplace at http://service.sap.com/securityguide .

Additional Information
For more information about specific topics, see the Quick Links in the table below.

Content: Quick Link on SAP Service Marketplace or SCN

Security: http://scn.sap.com/community/security

Security Guides: http://service.sap.com/securityguide

Related SAP Notes: http://service.sap.com/notes and http://service.sap.com/securitynotes

Released platforms: http://service.sap.com/pam

Network Security: http://service.sap.com/securityguide

SAP Solution Manager: http://service.sap.com/solutionmanager

SAP NetWeaver: http://scn.sap.com/community/netweaver

2 User Management and Authentication

Use
SAP BW (BW) uses the user management and user authentication mechanisms of the SAP NetWeaver platform, especially the mechanisms in SAP NetWeaver
Application Server for ABAP and Java. For this reason, the security recommendations and guidelines for user management and authentication contained in the
SAP NetWeaver Application Server for ABAP Security Guide and the SAP NetWeaver Application Server for Java Security Guide are also valid for BW. In
addition to these guidelines, the following sections provide BW-specific information about user management and authentication.

2.1 User Management

Use
User Management for SAP BW uses the mechanisms - such as tools and user types - contained in the SAP NetWeaver Application Server.
For more information, see the User Management section in the Security Guide for SAP NetWeaver.
Users
Standard users that are created when the BW system is installed
More information: Protecting Special Users .

Caution
Change initial passwords after installation to ensure that standard users cannot be misused.

Standard users that are specified when Application Server Java is installed.
For more information, see User Administration and Standard Users, in the SAP NetWeaver Application Server for Java Security Guide.

Caution
Change initial passwords after installation to ensure that standard users cannot be misused.

Users in BW and SAP Source Systems


The following table provides an overview of additional users required when using BW and SAP BEx. These users are not delivered and do not have default
passwords.

System: BW
User: Database users
Type: Database user
Description: You can find information about database users in the Security Guide for operating systems and database platforms.

System: BW
User: Background users in BW
Type: Technical user
Description: The background user in BW is used for communication with the BW source systems, for the extraction of data, and for background processes
in BW. You create the background user in Customizing in SAP BW and assign the user a password (under Automated Processes → Create User for Background
Processes). The system prompts for the background user's password when you connect to the source system. The authorization profile for the background
user is S_BI-WHM_RFC (see Authorization Profiles for Background Users).

System: SAP source system
User: Background users in the SAP source system
Type: Technical user
Description: The background user in the SAP source system is used for communication with BW and for the extraction of data. If you connect an SAP source
system to BW, the background user is created in the source system. You can create the user directly in the source system in user maintenance. In BW
Customizing, you can enter a name in the Implementation Guide to use as the default name for the background user when you connect a new source system
(under Connections to Other Systems → Connections Between SAP Systems and BW Systems → Maintain Proposal for Users in the Source System (ALE
Communication)). If the source system you are using is also a BW system, SAP recommends that you create the background user for BW and the background
user for the (BW) source system completely separately. The authorization profile for the background user in the source system is S_BI-WX_RFC (see
Authorization Profiles for Background Users).

System: BW
User: Administrator
Type: Individual user
Description: The BW administrator is responsible for the connection to source systems, for loading metadata, and for implementing BW statistics. The
administrator develops the data model and plans and monitors the processes in BW (such as the loading process).
More information: Authorization Profiles for Working with the Data Warehousing Workbench

System: BW
User: Authors and analysts
Type: Individual user
Description: Authors and analysts require advanced analysis functionality and the ability to perform special data analysis. To accomplish their tasks,
they need useful, manageable reporting and analysis tools.
More information: Authorizations for Query Definition and Information Broadcasting

System: BW
User: Executives and knowledge workers
Type: Individual user
Description: Executives and knowledge workers require personalized, context-related information provided in an intuitive user interface. They generally
work with predefined navigation paths, but sometimes need to perform deeper data analyses.
More information: Analysis Authorizations

System: BW
User: Information consumers
Type: Individual user
Description: Information consumers require specific information (a snapshot of a specific data set) to be able to perform their operative tasks.
More information: Analysis Authorizations

2.2 Authentication and Single Sign-On

Use
The authentication process makes it possible to check a user's identity before granting them access to BW or BW data. SAP NetWeaver supports various
authentication mechanisms.
BW uses the authentication and single sign-on mechanisms provided by SAP NetWeaver. Therefore, the security recommendations and guidelines for user
administration and authentication (described in the SAP NetWeaver Security Guide) also apply to BW.
For more information, see the section on user authentication and single-sign-on in the SAP NetWeaver Security Guide.
Authentication and Single-Sign-On Mechanisms for BW
User ID and Password
BW uses a user ID and a password for logon.
For more information, see Logon and Password Protection in SAP Systems.
Secure Network Communications (SNC)
BW supports Secure Network Communications (SNC).
For more information, see Secure Network Communications (SNC).
SAP Logon Tickets
BW supports SAP logon tickets. To make Single Sign-On available for several systems, users can obtain an SAP logon ticket after logging on to the SAP system.
The ticket can then be submitted to other systems (SAP or external systems) as an authentication token. The user does not need to enter a user ID or password
for authentication but can access the system directly after the system has checked the logon ticket.
For more information, see SAP Logon Tickets.
Client Certificates
As an alternative to user authentication with user ID and passwords, users with Internet applications via the Internet Transaction Server (ITS) can provide X.509
client certificates. User authentication then takes place on the Web Server using the Secure Sockets Layer Protocol (SSL Protocol). No passwords have to be
transferred. User authorizations are valid in accordance with the authorization concept in the SAP system.
More information: X.509 Client Certificates.

3 Authorizations

Use
To ensure that SAP BW represents the structure of your company and meets your company's requirements, you have to define who has access to what data.
There are two different authorization concepts for this depending on the role and tasks of the user:
Standard Authorizations
You use these authorizations for the various SAP BW tools, in the Data Warehousing Workbench or in BEx Query Designer for example. The authorization
concept for standard authorizations is based on the AS ABAP authorization concept.
Analysis Authorizations
You use these authorizations to provide access to transaction data belonging to authorization-relevant characteristics, to sales data for example.
Authorizations of this type are not based on the AS ABAP authorization concept. They use their own concept based on the needs of BW reporting and
analysis instead.
Critical Authorizations
Critical Analysis Authorizations

Authorization: 0BI_ALL (authorization for all values of all authorization-relevant characteristics)
Description: Every user with this authorization can access all the data at any time. Every user who has a profile containing authorization object
S_RS_AUTH and who has entered 0BI_ALL (or has included it using an asterisk (*), for example) has complete access to all data.
For more information, see the documentation for analysis authorizations, under Assigning Authorizations to Users.
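The asterisk warning above is easy to miss in a role review, because a value such as `*`, `0BI*` or an interval `0BI_A` to `0BI_Z` grants 0BI_ALL just as surely as the literal value does. The following scanner, an added example for this guide and not SAP-delivered code, takes role authorization values in the shape you would export from a role (role, object, field, value-from, value-to) and flags every value that covers 0BI_ALL on S_RS_AUTH; it also flags an unrestricted `*` on S_RFC, the object the critical templates below are wide-ranging on. The field names BIAUTH (S_RS_AUTH) and RFC_NAME (S_RFC) are those of the standard objects; that you would source the records from table AGR_1251 is an assumption, and the sample records are constructed.

```python
"""Flag role authorization values that hand out 0BI_ALL through S_RS_AUTH
(or an unrestricted S_RFC).

Added example for this guide, not SAP-delivered code. The records below are
constructed; in a real system you would export role authorization data
(for example from table AGR_1251, an assumption) and feed it in this shape.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthValue:
    role: str
    obj: str            # authorization object, e.g. S_RS_AUTH
    field: str          # authorization field, e.g. BIAUTH
    value_from: str     # single value, pattern with '*', or lower interval bound
    value_to: str = ""  # upper interval bound; empty for single values


# (object, field) -> concrete value that an ordinary role must never cover.
# A target of "*" means: flag only the unrestricted full wildcard itself.
CRITICAL = {
    ("S_RS_AUTH", "BIAUTH"): "0BI_ALL",
    ("S_RFC", "RFC_NAME"): "*",
}


def covers(value_from: str, value_to: str, target: str) -> bool:
    """Does one authorization value (single value, '*' pattern or interval) cover target?"""
    if target == "*":
        return value_from == "*" and not value_to
    if value_to:
        # SAP evaluates authorization intervals as character-string comparisons
        return value_from <= target <= value_to
    if "*" in value_from:
        # '*' matches any (possibly empty) sequence; everything else is literal
        pattern = ".*".join(re.escape(part) for part in value_from.split("*"))
        return re.fullmatch(pattern, target) is not None
    return value_from == target


def find_critical(records):
    """Return sorted (role, object, value_from, value_to, target) for every critical grant."""
    hits = []
    for r in records:
        target = CRITICAL.get((r.obj, r.field))
        if target is not None and covers(r.value_from, r.value_to, target):
            hits.append((r.role, r.obj, r.value_from, r.value_to, target))
    return sorted(hits)


# Constructed sample role data, not taken from any real system.
SAMPLE = [
    AuthValue("Z_BW_SALES",  "S_RS_AUTH", "BIAUTH", "ZSALES_DE"),       # one named authorization: fine
    AuthValue("Z_BW_SALES",  "S_RS_AUTH", "BIAUTH", "ZSALES_*"),        # pattern that misses 0BI_ALL: fine
    AuthValue("Z_BW_ADMIN",  "S_RS_AUTH", "BIAUTH", "0BI_ALL"),         # explicit 0BI_ALL
    AuthValue("Z_BW_POWER",  "S_RS_AUTH", "BIAUTH", "*"),               # asterisk covers 0BI_ALL
    AuthValue("Z_BW_PREFIX", "S_RS_AUTH", "BIAUTH", "0BI*"),            # prefix pattern covers it too
    AuthValue("Z_BW_RANGE",  "S_RS_AUTH", "BIAUTH", "0BI_A", "0BI_Z"),  # interval covers it
    AuthValue("Z_BW_RFC",    "S_RFC",     "RFC_NAME", "*"),             # unrestricted RFC
    AuthValue("Z_BW_RFC2",   "S_RFC",     "RFC_NAME", "RSB*"),          # restricted RFC: not flagged
]

if __name__ == "__main__":
    for hit in find_critical(SAMPLE):
        print("critical:", hit)
```

Run against the sample, the scanner reports Z_BW_ADMIN, Z_BW_POWER, Z_BW_PREFIX, Z_BW_RANGE and Z_BW_RFC and stays silent on the two Z_BW_SALES values; the interval case is the one most reviewers overlook, because neither bound mentions 0BI_ALL.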

Critical Authorization Templates


If you use authorization templates, note that some of these have wide-ranging authorizations:

S_RS_RDEAD (BW Role: Administrator (Development System)), S_RS_ROPAD (BW Role: Administrator (Production System)) and S_RS_TREQD (BW: Load Data (ALE,
IDocs, RFC, Batch, Monitoring)): these authorization templates contain wide-ranging authorizations on authorization object S_RFC.

S_RS_RDEMO (BW Role: Modeler (Development System)) and S_RS_TREPU (BW: Reporting User): these authorization templates contain authorizations for all
InfoProviders on authorization object S_RS_COMP.

More Information
Authorizations in the Documentation for SAP BW
Authorization Log for Analysis Authorizations
Checking Analysis Authorizations as Another User
Using ABAP Routines in Analysis Process Designer

3.1 Authorization Log for Analysis Authorizations

Use
A log tool is available for analysis authorizations that lets you analyze authorization checks. It records detailed information on each authorization-relevant
data access. Logging can be switched on permanently or only when required, and it is activated for specific users. Access to this analysis tool should be
protected using transaction RSECPROT and authorization object S_RSEC. Only authorized users should have access to the tool.
More information: Error Log

3.2 Checking Analysis Authorizations as Another User

Use
On the analysis authorization management screen, you can call specific transactions as another user by choosing Execute as... on the Analysis tab page. All
checks for analysis authorizations (and only these authorizations) are run for the specified user. This makes it possible for a user to gain access to more
authorizations than s/he would normally have. This transaction should therefore be specially protected using authorization object S_RSEC.
More information:
Management of Analysis Authorizations
Overview: Authorization Objects

3.3 Using ABAP Routines in the Analysis Process Designer

Use
In the Analysis Process Designer, you can transform data using an ABAP routine.
Note that when you create and edit the ABAP routine in an analysis process, authorization object S_DEVELOP is not checked. Instead, you need authorization
for authorization object RSANPR with activity 36 (extended maintenance).
In productive systems in particular, this can result in a situation where users who are not authorized developers can edit and execute ABAP routines. When
assigning activity 36 for RSANPR, treat it as equivalent to development authorization, since it permits arbitrary ABAP code to be written and executed.

4 Network and Communication Security

Use
Your network infrastructure is extremely important for your system security. Your network needs to support the communication necessary for your business needs
without allowing unauthorized access. A well-defined network topology can eliminate many security threats based on software flaws (at operating system level and
application level) or network attacks such as eavesdropping. If users cannot log on to your application or database servers at the operating system or database
layer, then there is no way for intruders to compromise the machines and gain access to the backend system's database or files. In addition, if users are not able
to connect to the server LAN (local area network), they cannot exploit known bugs and security gaps in network services on the servers.
The network topology for the SAP BW (BW) is based on the topology used by the SAP NetWeaver platform. For this reason, the security guidelines and
recommendations described in the Security Guide for SAP NetWeaver are also valid for BW. Details that are especially relevant for BW are described in the
following sections.

4.1 Communication Channel Security

Use
BW uses the following communication paths and protocols:
RFC is used as the protocol for the following communication paths:
Front end and application server
Application server to application server
AS Java and application server
SAProuter and application server
Connection to database
For more information on the secure usage of RFC for communication between systems, see RFC/ICF Security Guide.
HTTP, HTTPS and SOAP are used for communication between the Web browser and the application server.
RFC connections can be protected using Secure Network Communications (SNC). HTTP connections can be protected using the Secure Sockets Layer (SSL)
protocol, that is, by using HTTPS. SOAP connections are protected with Web services security.

Recommendation
We strongly recommend using secure protocols (SSL, SNC) whenever possible.

For more information, see "Transport Layer Security and Web Services Security" in the SAP NetWeaver Security Guide.

4.2 Communication Destinations

Use
Connection destinations are required in the following BW areas:
Using TREX
RFC destination in the BW system
For more information, see BW Customizing under TREX Connection .
Connecting data sources to the BW system
These destinations are not usually shipped with the software. Instead, they are created on the customer's system.
If you want to connect SAP systems and non-SAP data sources (as source systems) to BW, you usually need RFC destinations.
To use UD Connect, you need an RFC destination to the Application Server Java. For more information, see BW Customizing under UDI Settings by
User Scenarios UD Connect Settings .
The Myself BW destination is automatically created when the BW Data Warehousing Workbench is opened for the first time.
The background user and the background user in the source system are responsible for communication between BW and source systems (in the case of
SAP source systems). The BW background user requires the S_BI-WHM_RFC authorization profile. The background user requires the S_BI-WX_RFC
authorization profile in the SAP source system. For more information, see Authorization Profiles for Background Users.

4.3 Network Security

Use
When using the BW, note the information under "Network and Communication Security" in the SAP NetWeaver security guidelines.
We recommend the use of firewalls to control the network traffic in your system landscape. A firewall comprises hardware and software components that specify
which connections are permitted between communication partners. The firewall only allows the specified connections to be used. All other connections are blocked by
the firewall. For more information, see "Using Firewall Systems for Access Control" in the SAP NetWeaver security guidelines.
To secure RFC connections or connections with Internet protocols, we recommend that you use Secure Network Communications (SNC) or Secure Sockets Layer
(SSL) as your security method.

4.4 Web Services and ICF Services in BW

Use
Various different Web services and ICF services are delivered with SAP Business Warehouse.

ICF Services
ICF services are based on the Internet Communication Framework (ICF) of the SAP NetWeaver Application Server. ICF services are HTTP services that are used
to execute HTTP request handlers. The BW HTTP services allow you to display or exchange BW data using a URL. Some of these services are implemented as
Web services.
Structure of the URL
The URL of an HTTP service delivered in a BW namespace has the following structure:
<Protocol>://<Server>:<Port>/sap/bw/<Service>
URL Prefix

The values used for the place holder in the specified URL schema depend on the installation. For <Protocol>, http and https can be selected. For <Server>, enter
your message server.
You can check which URL prefix your BW system has generated as follows:
1. Call Function Builder (transaction SE37).
2. Enter RSBB_URL_PREFIX_GET as the function module.
3. Choose Test/Execute. The Test Function Module screen appears.
4. As import parameter I_HANDLERCLASS, enter the name of the ICF handler (HTTP Request Handler) for the required service.

Note
You can find out the name of the ICF handler in the Maintenance of Services (transaction SICF). Navigate to the required service component in the HTTP
service tree. Double-click to open the Change/Create a Service dialog box. The HTTP request handler for the service is displayed on the Handler List
tab page.

5. Choose Execute. Export parameter E_URL_PREFIX contains the generated URL prefix.
Service:
Enter the technical name of the required service here. The name comprises all the elements of the path in the HTTP service tree (transaction SICF).
Prerequisites for Using the Service
The required HTTP service must be active.

Note
To check this, navigate to the required service component in Service Maintenance (transaction SICF). If the service is active, you cannot select the Activate
Service entry in the context menu.

Delivered Service
The following service is implemented as a Web service:
Open Analysis Interfaces (see XML for Analysis)

Web Services that are not in the BW Namespace


For details of the procedure for building URLs for Web services that are not in the /sap/bw namespace, see the documentation for these Web services.
Under /sap/bc/webdynpro, you can find the service for viewing the Web Dynpro-based metadata repository (see Analyzing Metadata with the Metadata
Repository).
Under /sap/bc/webdynpro/sap, you can find the WDA_EQ_manager service. You need this in order to use the Easy Query Manager (see Configuring
Easy Queries).
The Web services that you have created are also not located in the BW namespace (see Transferring Data via Web Services).

5 Security for Data Storage

Use
Data Storage
In BW, data is stored on the application server database.
If end users evaluate data using Microsoft Excel, they can also store data locally. The end user has to make sure that no unauthorized person can access the
locally stored data.
You can protect data from being accessed by unauthorized end-users by assigning analysis authorizations. In the default setting, data is not protected. However,
you can flag InfoObjects in BW as authorization-relevant (see Tab Page: Business Explorer). Data can then only be accessed if the user has the required
authorizations.
Data in BW is mainly accessed for read purposes. In planning however, data is also modified. More information: Planning Engine.
Protecting Access to the File System Using Logical Paths and File Names
In transaction RSCRM_BAPI, query extracts can be created by writing the query results to files on the application server. To maintain system integrity, it is
important to specify where these files will be explicitly stored. This is done by specifying logical paths and file names that are assigned to the physical paths.
This assignment is validated at runtime to ensure that files are generated in the correct name range.
The following lists show the logical file names and paths used in this context and the programs that these file names and paths apply to:
Logical File Name Used in this Application
The following logical file name has been created in order to enable validation of physical file names:
RSCRM_FILE_EXTRACT_PATH
Programs that use this logical path name and the parameters used in this context:
RSCRM_BAPI_REMOTE
CL_RSCRMBW_TOOLS
Logical Path Names Used in this Application
The logical file name listed above uses the logical path name RSCRM_FILE_EXTRACT_PATH.
We recommend defining the physical path that is assigned to the temporary directory.
Activate Validation of Logical Paths and File Names
These logical paths and file names are specified in the system for the corresponding programs. To ensure downward compatibility, validation at runtime is
deactivated by default. To activate validation at runtime, specify the physical path with transactions FILE (non-client specific) and SF01 (client-specific). To find
out which paths are used by your system, you can activate the relevant settings in the security audit log.
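To see what the runtime validation of logical paths and file names is there to stop, the following is an added example for this guide and not SAP code: it resolves a requested file name against a logical path in the way the check behind transactions FILE and SF01 is meant to, and rejects every name that would leave the assigned physical directory. The logical path name RSCRM_FILE_EXTRACT_PATH is taken from the text; the physical directory it maps to is a temporary directory created by the example, which is an assumption, and the test inputs are constructed.

```python
"""Resolve a file name under a logical path and refuse anything that would
land outside the assigned physical directory.

Added example for this guide, not SAP code. The mapping from logical path
name to physical directory stands in for the FILE / SF01 assignment; here it
points at a temporary directory (an assumption for the example).
"""
import os
import tempfile


class PathValidationError(ValueError):
    """Raised when a requested file would land outside the assigned directory."""


def resolve_physical_path(logical_path_name: str, file_name: str, assignments: dict) -> str:
    """Return the canonical physical path of file_name under the logical path, or raise."""
    base = assignments.get(logical_path_name)
    if base is None:
        raise PathValidationError(f"no physical path assigned to {logical_path_name}")
    base_real = os.path.realpath(base)

    # A file name must be a bare name: no separators, no drive, not '.' or '..'.
    if not file_name or file_name in (".", "..") or os.path.basename(file_name) != file_name:
        raise PathValidationError(f"file name {file_name!r} is not a plain file name")
    if "\x00" in file_name:
        raise PathValidationError("file name contains a NUL byte")

    # Canonicalize after joining, so a symlink inside the directory cannot point outside it.
    candidate = os.path.realpath(os.path.join(base_real, file_name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PathValidationError(f"{file_name!r} resolves outside {base_real}")
    return candidate


def run_checks() -> dict:
    """Exercise the validator on constructed inputs; returns {case: 'ok' | 'rejected'}."""
    cases = {
        "plain": "query_extract_0001.csv",
        "traversal": "../../etc/passwd",
        "absolute": "/etc/passwd",
        "dot_dot": "..",
        "embedded_nul": "extract\x00.csv",
        "unknown_logical": "extract.csv",
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        assignments = {"RSCRM_FILE_EXTRACT_PATH": tmp}
        for case, name in cases.items():
            logical = "ZUNDEFINED_PATH" if case == "unknown_logical" else "RSCRM_FILE_EXTRACT_PATH"
            try:
                resolve_physical_path(logical, name, assignments)
                results[case] = "ok"
            except PathValidationError:
                results[case] = "rejected"
    return results


if __name__ == "__main__":
    for case, outcome in run_checks().items():
        print(f"{case:16s} {outcome}")
```

Only the plain file name is accepted; traversal, absolute paths, `..`, an embedded NUL byte and an unassigned logical path are all rejected. Note that the check is deliberately two-sided: the bare-name rule catches the obvious cases early, and the canonical-prefix comparison still holds if a symlink inside the directory points elsewhere.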
More information:

Logical File Names
Protecting Access to the File System Using Logical Path and File
Security Audit Log
Data Protection
LOPD Access Logging in Reporting and Planning Applications
The Spanish data protection law Ley Orgánica de Protección de Datos de Carácter Personal (LOPD) stipulates certain rules that companies have to observe
when processing, saving and handling personal data. These rules involve logging all access to highly-sensitive personal data. SAP BW provides a mechanism
for LOPD logging of access to data in reporting and planning applications. For more information, see SAP Note 933441.

6 Security-Related Logging and Tracing

Use
Logging Security-Related Changes and Authorization-Related Activities
The following tables are used to log changes to analysis authorizations and other authorization-related activities:
RSUDOLOG
This table contains log information about execution of a query (or other transaction) in the administration transaction for analysis authorizations in Query Monitor
(transaction RSRT) by one user for another.
For further information about executing transactions (especially RSRT) with another user, see Management of Analysis Authorizations and Checking Analysis
Authorizations as Another User.
The log data includes the following:
User name of the user who has executed a transaction under another user name
User name of the other user
The transaction that was executed
Password prompt flag
Flag to show correct password entered
Session ID
Time stamp
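Because Execute as... (see Checking Analysis Authorizations as Another User) lets a user run with another user's analysis authorizations, the RSUDOLOG records described above are the evidence an auditor reviews. The following is an added example for this guide, not SAP code: it parses records in a constructed flat export (one record per line, fields in the order listed above, separated by semicolons) and flags the ones that deserve a look. RSUDOLOG itself is a database table, so in a real system you would read it through the ABAP stack or a table export; the review policy (no password prompt, wrong password, or a target user on a sensitive list) and the sensitive-user list are assumptions for the example.

```python
"""Review 'execute as another user' records of the kind RSUDOLOG holds.

Added example for this guide, not SAP code. The export below is constructed;
the field order follows the log description: executing user, other user,
transaction, password-prompt flag, correct-password flag, session ID, time stamp.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample export (not real log data); 'X' marks a set flag.
SAMPLE_EXPORT = """\
ADMIN01;SALESMGR;RSRT;X;X;0001;20150702101500
ADMIN01;CFO;RSRT;X;;0002;20150702101900
ADMIN01;HRHEAD;RSRT;;;0003;20150702102200
SUPPORT7;SALESREP;RSRT;X;X;0004;20150702110000
SUPPORT7;SUPPORT7;RSRT;X;X;0005;20150702110500
"""

# Assumption for the example: users whose data access is highly privileged.
SENSITIVE_TARGETS = {"HRHEAD", "CFO"}


@dataclass(frozen=True)
class ExecAsRecord:
    executing_user: str
    other_user: str
    transaction: str
    password_prompted: bool
    password_correct: bool
    session_id: str
    timestamp: str


def parse_export(text: str):
    """Parse the flat export into records; malformed lines are an error, not silently dropped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(";")
        if len(fields) != 7:
            raise ValueError(f"malformed record: {line!r}")
        ex_user, other, tcode, prompted, correct, session, ts = fields
        records.append(ExecAsRecord(ex_user, other, tcode, prompted == "X", correct == "X", session, ts))
    return records


def review(records, sensitive_targets=SENSITIVE_TARGETS):
    """Return (findings, counts).

    findings: list of (session_id, reasons) for records that need review.
    counts:   how often each user executed something as somebody else.
    """
    findings = []
    counts = Counter()
    for r in records:
        if r.executing_user == r.other_user:
            continue  # running as yourself is not impersonation
        counts[r.executing_user] += 1
        reasons = []
        if not r.password_prompted:
            reasons.append("no password prompt for target user")
        elif not r.password_correct:
            reasons.append("wrong password entered")
        if r.other_user in sensitive_targets:
            reasons.append(f"target user {r.other_user} is on the sensitive list")
        if reasons:
            findings.append((r.session_id, reasons))
    return findings, dict(counts)


if __name__ == "__main__":
    found, per_user = review(parse_export(SAMPLE_EXPORT))
    for session, reasons in found:
        print(session, "; ".join(reasons))
    print("execute-as counts:", per_user)
```

On the sample, sessions 0002 (wrong password, sensitive target CFO) and 0003 (no prompt, sensitive target HRHEAD) are reported, session 0005 is ignored because the user ran the query as themselves, and the per-user counts show ADMIN01 using Execute as... three times against SUPPORT7's once, which is the kind of baseline you would compare over time.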
RSECVAL_CL
This table contains log information about changes to value authorizations. The log data includes the following:
The authorization that was changed
The characteristic that the authorization was changed for
Object version of the characteristic
Session ID
Time stamp for the change
RSECHIE_CL
This table contains log information about changes to hierarchy authorizations. The log data includes the following:
The authorization that was changed
The characteristic that the authorization was changed for
Object version of the characteristic
Hierarchy-specific data
Session ID
Time stamp for the change
RSECUSERAUTH_CL
This table contains log information about the assignment of analysis authorizations by users in the administration transaction for analysis authorizations.
More information: Assigning Information to Users
The log data includes the following:
Authorization
User name of the user whom the authorization was assigned to
Time stamp
Session ID

Note
You can analyze changes to value and hierarchy authorizations and to user-user authorization assignments using InfoProviders from the technical
content. More information: Change Documents (Legal Auditing).

RSECTXT_CL
This table contains log information about changes to authorization texts. The log data includes the following:
The authorization that was changed
The authorization's short, medium and long text
Session ID
Time stamp for the change
RSECSESSION_CL
This table contains log information about user activities in the session, including the date and time of any changes made. You can use this table to find out which
user values, hierarchy authorizations or authorization texts have been changed.
Logging LOPD-Relevant Access in Reporting and Planning Applications
SAP BW provides a mechanism for logging access in reporting and planning applications that is security-relevant in accordance with the Spanish data
protection law Ley Orgánica de Protección de Datos de Carácter Personal (LOPD). For more information, see SAP Note 933441.

7 Further Security-Relevant Information

Use
E-mail encryption when distributing BEx objects
Information broadcasting uses SAP NetWeaver interface SAPconnect to create and send e-mails with BEx objects. This interface does not support encryption or
certificates. E-mails created in the SAP system using Information Broadcasting are therefore not encrypted and do not have certificates.
However, SAP supplies an additional product from another provider (the Secure Email Proxy), which allows you to encrypt e-mails.
More information: SAPconnect, in particular the section Secure Email

8 Security-Related Information for BI Java

Use
The following sections provide security-related information to supplement the Security Guide for SAP BW when using usage type BI Java. These sections do not
constitute a security guide in their own right. They should be read in conjunction with the corresponding sections in the Security Guide for SAP BW.

8.1 User Management and Authentication

8.1.1 User Management

Use
For information about standard users that are specified during installation of Application Server Java, see the SAP NetWeaver Application Server for Java
Security Guide, under User Management and Standard Users .

Caution
Change initial passwords after installation to ensure that standard users cannot be misused.

8.1.2 Authentication and Single Sign-On

Use
The portal is the central entry point for users in SAP NetWeaver. It supports and issues SAP logon tickets. BEx Web applications are usually called from the
portal. The integration of BW and the portal enables access from BW too, where Single Sign-On is also supported.
The following graphic illustrates the interaction between BW and the portal in terms of single sign-on:

8.1.2.1 Calling BEx Web Applications from the Portal
Calling BEx Web applications from the portal is like calling applications from other components. Single Sign-On means that you do not have to log on to BW manually.
Overview

Portal (explicit authentication at the portal; Web browser receives portal ticket) → BEx Web application (implicit authentication in BW with portal ticket)

The following settings have to be made for Single Sign-On when calling BEx Web applications from the portal:
BW system must accept tickets
BW system must have imported the portal certificate in order to authenticate tickets from the portal
See also:
SAP Customizing Implementation Guide → SAP NetWeaver → SAP Business Warehouse → Settings for Reporting and Analysis → BEx Web → Integration into
the Portal
→ Configuring Single Sign-On in the BW System
→ Exporting the Portal Certificate in the Portal
→ Import the Portal Certificate to the BW System

8.1.2.2 Information Broadcasting as Background Processing


When BW objects are precalculated and distributed using background processing, BEx Web applications are executed, and the generated HTML documents are
stored in the Knowledge Management folder or distributed by e-mail.
Broadcast settings are executed in the background:
if they were registered for execution at a specific time
if they were registered for execution when data was changed, and the data change event was triggered from a process chain
if they were scheduled directly in background processing
A scheduling user has registered or scheduled broadcast settings for another user.
This is the case if:
the authorized user in the broadcast setting is not the scheduling user
the broadcast setting requires user-specific execution for users other than the scheduling user
For security reasons, the system runs a check during processing to ensure that the scheduling user is authorized to schedule background tasks for the other
user(s) (authorization object S_BTCH_NAM).
A job can be executed in the background under various user names, which means the HTML documents are generated according to user-specific authorizations.
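The S_BTCH_NAM check described above, as an added example that is not SAP's own code: before a broadcast setting is processed for other users, every target user other than the scheduling user is checked against S_BTCH_NAM (field BTCUNAME). The class name, the method and the sample user IDs are assumptions.

```abap
" Added example (not SAP code): the S_BTCH_NAM check for user-specific broadcasting.
" Assumption: the broadcast setting's target users arrive as an internal table.
REPORT z_check_broadcast_sched.

TYPES: tt_users TYPE STANDARD TABLE OF syuname WITH DEFAULT KEY.

CLASS lcl_bcast_check DEFINITION.
  PUBLIC SECTION.
    " Returns abap_true only if the scheduling user may run background
    " jobs under the name of every other user in the setting.
    CLASS-METHODS check_scheduling_user
      IMPORTING iv_scheduler    TYPE syuname
                it_target_users TYPE tt_users
      RETURNING VALUE(rv_ok)    TYPE abap_bool.
ENDCLASS.

CLASS lcl_bcast_check IMPLEMENTATION.
  METHOD check_scheduling_user.
    rv_ok = abap_true.
    LOOP AT it_target_users INTO DATA(lv_user).
      " A user may always schedule for themselves; no S_BTCH_NAM needed.
      IF lv_user = iv_scheduler.
        CONTINUE.
      ENDIF.
      " FOR USER evaluates the scheduling user's authorizations, not
      " those of whoever happens to run this code (e.g. the batch user).
      AUTHORITY-CHECK OBJECT 'S_BTCH_NAM'
        FOR USER iv_scheduler
        ID 'BTCUNAME' FIELD lv_user.
      IF sy-subrc <> 0.
        " Deny the whole setting as soon as one target user is not covered.
        rv_ok = abap_false.
        RETURN.
      ENDIF.
    ENDLOOP.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  " Constructed sample: the current user schedules a user-specific
  " broadcast for two other (hypothetical) users and for themselves.
  DATA(lt_users) = VALUE tt_users( ( 'ANALYST01' ) ( 'ANALYST02' ) ( sy-uname ) ).
  IF lcl_bcast_check=>check_scheduling_user( iv_scheduler    = sy-uname
                                             it_target_users = lt_users ) = abap_true.
    WRITE: / 'Scheduling user is authorized for all target users'.
  ELSE.
    WRITE: / 'Missing S_BTCH_NAM authorization for at least one target user'.
  ENDIF.
```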
Storage in a Knowledge Management folder is triggered using an RFC call from ABAP to Java. Authentication is performed by automatically generating SAP logon
tickets. Automatic generation is defined in the RFC destination. The corresponding user must have write authorization for the selected Knowledge Management
folder.

When using distribution by e-mail and precalculation of BEx workbooks with Microsoft Excel, no portal functions are required.
Overview

Precalculation and generation of documents (explicit authentication in BW occurs during job scheduling) → Storage of documents in Knowledge Management (implicit authentication in the portal with BW ticket)

More information: Broadcasting BEx Objects.

8.1.2.3 Information Broadcasting in the Web


You can use BEx Broadcaster to distribute or set the scheduling for background processing of BEx Web applications directly in the Web.
BEx Broadcaster is a special Web item that behaves like a normal BEx Web application and runs in SAP BEx. Input help is provided for selecting a Knowledge
Management folder to store the precalculated documents. This is implemented as a portal iView (com.sap.ip.bi.portalnavigation.folderselection).
There are three different scenarios:
1. BEx Broadcaster is Called Directly in the Web Browser
If BEx Broadcaster is called directly in the Web browser, authentication is required in the BW system. When the input help is called for the KM folder, a second
authentication is required in the portal.
Overview

BEx Broadcaster (explicit authentication in BW; Web browser receives BW ticket) → Input help (explicit authentication in the portal because the portal does not accept a BW ticket)

2. BEx Broadcaster is Called in the Portal


If BEx Broadcaster is called in the portal, authentication takes place implicitly with the BW system if the appropriate Single Sign-On has been set up between the
portal and BI (see Calling BEx Web Applications from the Portal).
Overview

Portal (explicit authentication at the portal; Web browser receives portal ticket) → BEx Broadcaster (implicit authentication in BW with portal ticket) → Input help (implicit authentication at the portal with portal ticket)

3. The settings described in Publishing to the Enterprise Portal have been made


If these settings have been made, the portal accepts tickets from the BW system. There is then no explicit authentication in the portal (as described under point 1) when you call the input help.
Overview

BEx Broadcaster (explicit authentication in BW; Web browser receives BW ticket) → Input help (implicit authentication at the portal because the portal accepts the BW ticket)

Multiple portals can be connected to a BW system. See SAP Customizing Implementation Guide → SAP NetWeaver → SAP Business Warehouse → Settings
for Reporting and Analysis → BEx Web → Integration into the Portal → Maintain Portal Server Settings for the Portal. The portal that is designated as the standard
portal is used when the input help for the KM folder is called.

8.1.2.4 Publishing to the Portal


When publishing to the portal in BEx Web Application Designer, the portal roles assigned to the user and the personal folders in Knowledge Management are
displayed.
To get this personalized information from the portal in BEx Web Application Designer, the user in the BW system has to be assigned a user in the portal.
Assignment is not necessary if the technical user names in the portal and in BW are identical. After assignment, the portal user has to be authenticated.
Authentication takes place using the BW ticket that BEx Web Application Designer receives during explicit logon. The portal requires the BW certificate to validate
the BW tickets.
Overview

BEx Web Application Designer (explicit authentication in the BW system; BW ticket available) → Portal (implicit authentication at the portal with BW ticket)

For publication to the portal in BEx Web Application Designer, the following settings must be made:
The BW system must generate tickets
The portal must have imported the BW system's certificate in order to authenticate tickets from BW
You must configure the user assignment in the portal if the technical user names are not the same.
See also:
SAP Customizing Implementation Guide → SAP NetWeaver → Business Intelligence → Settings for Reporting and Analysis → BEx Web → Integration into the
Portal
→ Configuring Single Sign-On in the BW System
→ Exporting the BW Certificate in the BW System
→ Importing the BW Certificate into the Portal
→ Configuring User Assignments in the Portal

8.2 Network and Communication Channel Security

8.2.1 Communication Channel Security

Use
When using BI Java, there is an additional communication path, between AS Java and the Application Server. This connection uses RFC.
HTTP, HTTPS, or SOAP is used as the communication path between the Web browser and the application server. When using Web applications, we recommend activating HTTPS so that this traffic is encrypted.
For more information about the communication paths for AS Java and the associated security mechanisms, see Transport Layer Security .

8.2.2 Communication Destinations

Use
When using BI Java, the following connection destinations may be required:
BEx Web
RFC destination on the Application Server Java
RFC destination for portal
For more information, see Automatically Configuring BI Java .
Connecting UD data sources to the BW system
To use UD Connect, you need an RFC destination to the Application Server Java. For more information, see BW Customizing under UDI Settings by
User Scenarios UD Connect Settings .
The BW background user and the background user in the source system are responsible for communication between BW and source systems (in the case of
SAP source systems). The BW background user requires the S_BI-WHM_RFC authorization profile. The background user requires the S_BI-WX_RFC
authorization profile in the SAP source system. For more information, see Authorization Profiles for Background Users .

8.3 Security with Data Storage

Use
Data Storage
If evaluations and analyses are called using BEx Web applications, data is displayed in a Web Browser. Data is then stored in a browser cache. We recommend
always deleting the browser cache after evaluating data.
Data Protection
Using BEx Tools in SAP NetWeaver 2004
If using BEx tools in SAP NetWeaver 2004, note the following:
BEx Web applications can be implemented as either stateful or stateless applications. For stateful Web applications, the BEx Web runtime uses session cookies to combine independent requests (the function calls in a Web application, for example navigation steps) into one session. These cookies are called sap-contextid. The cookie contains a generated ID as its value; this ID allows the server to identify the relevant session. The session cookie is a temporary cookie: it is deleted automatically when the browser window is closed. The server also has a timeout parameter; after the timeout, the session cookie is invalid and can no longer be used for navigating in a Web application. Using the Web template attribute NO-SESSION_COOKIE, you can use session coding in the URL for the Web application instead. In this case, no session cookies are generated. To ensure that the Web application uses session coding in the URL, set the NO-SESSION_COOKIE attribute to X.

8.4 Other Security-Relevant Information

Use
SAP BEx uses JavaScript in the Web Browser when executing Web Applications. For minimum configuration, you have the option of deactivating JavaScript.
However, we recommend that you do not deactivate JavaScript. Deactivating JavaScript means that it is no longer possible to use all of the Web items and
dialogs on the Web. Navigation options in Web applications would also be considerably restricted.
